3b4fc2a2e594506881d82a8c418e9bcf572b3269dfab952f5ef70ea6a8838884

Analysis

max time kernel
91s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RevoUninstaller_Portable/LicenseAgreement.txt
Size

6KB
MD5

13d3876c402174dcd9239c60f559fa7d
SHA1

1cdda259609df4c18ff13aa2f7a4e475e1ef1945
SHA256

079a40fdcab2f7bedf66cd9ab26fce42d2057ef899eba7fb367d9f6981b30267
SHA512

8e8e04401c5a4637d110d4ad718321f027cb39f1a366e021584f657dbe30c01384f60a82ddaf6ff2e4291f8354d026723515b0029059f064a17ca7d44d0fae6f
SSDEEP

96:oxfbLEJB34LGPy2ZJ4bTw7aw4ri2q9uCosEt+i4B7KVrVHBhyo/fKhwsi:onLs3fLbnEtj+7gZH3Z/Ch2

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevoUPort.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3112	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
2372	RevoUn.exe
3416	setup.exe
4040	setup.exe
2372	RevoUn.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 2372	3504	RevoUPort.exe	94
PID 3504 wrote to memory of 2372	3504	RevoUPort.exe	94
PID 2372 wrote to memory of 3416	2372	RevoUn.exe	95
PID 2372 wrote to memory of 3416	2372	RevoUn.exe	95
PID 3416 wrote to memory of 4040	3416	setup.exe	96
PID 3416 wrote to memory of 4040	3416	setup.exe	96
PID 3416 wrote to memory of 1568	3416	setup.exe	97
PID 3416 wrote to memory of 1568	3416	setup.exe	97
PID 1568 wrote to memory of 2364	1568	chrome.exe	98
PID 1568 wrote to memory of 2364	1568	chrome.exe	98
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4744	1568	chrome.exe	99
PID 1568 wrote to memory of 4036	1568	chrome.exe	100
PID 1568 wrote to memory of 4036	1568	chrome.exe	100

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\LicenseAgreement.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\RevoUPort.exe
"C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\RevoUPort.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\x64\RevoUn.exe
  C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\x64\RevoUn.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --uninstall --system-level
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x7ff7a4fe4698,0x7ff7a4fe46a4,0x7ff7a4fe46b0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4040
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --uninstall
      4⤵
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff80fd9cc40,0x7ff80fd9cc4c,0x7ff80fd9cc58
        5⤵
        
        PID:2364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,10390415362906672489,8255916446234031415,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1816 /prefetch:2
        5⤵
        
        PID:4744
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,10390415362906672489,8255916446234031415,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2140 /prefetch:3
        5⤵
        
        PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
48a1fbd66264e8cffca58675ce94e60b

SHA1
b0e202a786c76ccf8e364bc92c30a10e3ae2b634

SHA256
5c2ecefb4d06774ebc651b69aff35c10098ff4546a85d6444b6cc46fdedbb1da

SHA512
53efdacfc765cd5f13f25cbe77f08946c9b7d858fd349da9b4ce5c5c3c35c97a89e49048045aabe4392e916ce2502cdf956eadc501ce5cea75b46d69749b098f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\settings.ini

Filesize
3KB

MD5
e8dd6bfec9511bf1c31cb9c68a85b8b2

SHA1
daeb0a5890d9c35aaa3642ec4df1673e471b83c7

SHA256
cb7a03fbeef81ecfd4554adcff489ea4b1a0474b20acb6d94e601141c239c671

SHA512
05f60766afe6c12f708cb07aa1d3a57b5c21f7d0848bae655a495b4207d5d31c7af3ccb37ed0db34b1a9c5bbd139aadf0a077b46a75cedab56f0a5aaf525ddd6

Download Submit